Showing posts with label server. Show all posts

Tuesday, April 27, 2010

Hacked!

Yesterday, the animal shelter called me. "Our website doesn't work."

Their website is hosted on my server, and I maintain it for them so I went to take a look. The first problem was easy to find: their domain name simply went to a GoDaddy.com landing page. "Looks like the domain name must have expired or something," I said. I'd seen it a dozen times before. "Just make sure the credit card didn't expire or something like that."

After fixing that, the shelter manager called me back. "It's pointing where it should, but they said it'd take a few minutes to update."

"Great," I said, but that reminded me that I had a second temporary link I could use to view the site if the domain name was down. Just for the heck of it, I checked out the site, and was greeted by flashing images and random text. Oh no! Their site has been hacked! Thousands upon thousands of mostly-empty folders with random names clogged their account. The shelter's own files and folders remained, except for the home page which had been replaced with the hacker's own page.

This was a kick in the pants. As security-conscious as I am, I had failed somewhere. Doing a little research, it wasn't hard to see where. When I set up their FTP account, I had chosen too easy of a password. It was a non-dictionary word that I had appended some numbers to...but the non-dictionary word was their domain name and I hadn't stopped to think that a brute-force attack might toss that into the mix.

That wasn't the primary problem. Their unique password I could change, but I realized I had a bigger security hole. All the sites on my server that need to use the database use the same username/password to access it. If the hackers cared, they could glance at the database configuration file in the site that they hacked and get into the database, where they'd have access to every site's data. There wasn't anything particularly sensitive in there that wasn't encrypted, but still not a good thing.

The first thing I did was change the password on the account. The second thing was change the database password. The third thing was to give each site a unique password to the database with limited access. That way, if one site was hacked, it couldn't spread to other sites, and it would be easy to cut off that single access.

Fortunately, I keep good backups so it was easy enough to restore the hacked site. The hardest part was wading through the massive number of folders the hackers had created.

I wish I had fixed that particular security hole BEFORE something happened, but at least it's better now.
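The shared-database-login problem described above is easy to overlook on a small multi-site host, so here is an added example (mine, not the post's code) that does two things: it reads each site's database settings and reports which sites share one login, and it emits one MySQL account per site scoped to that site's own database with only runtime privileges. The config format (`define('DB_USER', ...)` lines), the site names and the passwords in the sample are all constructed for the example; the generated account passwords come from `secrets`, not from the site or domain name.

```python
"""Added example (not from the post): find web sites on one host that share a
database login, then emit per-site, least-privilege MySQL grants.

Assumptions (mine, not the post's): each site keeps its database settings in a
PHP-style config with define('DB_USER', ...) / define('DB_PASS', ...) /
define('DB_NAME', ...) lines, and all sites use one MySQL server.
"""
import re
import secrets
from collections import defaultdict

# Constructed sample configs: three sites, two of which share one login.
SITE_CONFIGS = {
    "shelter": """<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'shelter_db');
define('DB_USER', 'webapps');
define('DB_PASS', 'shared-secret-1');
""",
    "bakery": """<?php
define('DB_NAME', 'bakery_db');
define('DB_USER', 'webapps');
define('DB_PASS', 'shared-secret-1');
""",
    "blog": """<?php
define('DB_NAME', 'blog_db');
define('DB_USER', 'blog_user');
define('DB_PASS', 'its-own-secret');
""",
}

_DEFINE = re.compile(r"define\(\s*'(DB_\w+)'\s*,\s*'([^']*)'\s*\)")


def parse_db_config(text):
    """Return {'DB_NAME': ..., 'DB_USER': ..., 'DB_PASS': ...} from a config."""
    return dict(_DEFINE.findall(text))


def shared_credentials(configs):
    """Map each (user, password) pair to the sites using it and return only
    the pairs used by more than one site: a break-in at one of those sites
    exposes the others' data as well."""
    by_login = defaultdict(list)
    for site, text in configs.items():
        cfg = parse_db_config(text)
        by_login[(cfg["DB_USER"], cfg["DB_PASS"])].append(site)
    return {login: sorted(sites) for login, sites in by_login.items()
            if len(sites) > 1}


def per_site_grants(configs, host="localhost"):
    """Generate one MySQL account per site, limited to that site's database
    and to the privileges a web application needs at runtime. Passwords are
    random rather than derived from the site name. Returns
    {site: (user, password, [sql statements])}."""
    out = {}
    for site, text in configs.items():
        db = parse_db_config(text)["DB_NAME"]
        user = f"{site}_app"
        password = secrets.token_urlsafe(24)  # URL-safe chars only, no quotes
        sql = [
            f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{password}';",
            # No DROP, ALTER, GRANT OPTION, and no access to other schemas.
            f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{db}`.* TO '{user}'@'{host}';",
        ]
        out[site] = (user, password, sql)
    return out


if __name__ == "__main__":
    for (user, _), sites in shared_credentials(SITE_CONFIGS).items():
        print(f"login '{user}' is shared by: {', '.join(sites)}")
    for site, (user, _, sql) in per_site_grants(SITE_CONFIGS).items():
        print(f"-- {site}")
        print("\n".join(sql))
```

Once each site has its own account, the old shared login can be dropped, and a compromise of one site's config file yields credentials that only reach that site's schema.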

Sunday, April 25, 2010

Wordcount Widget!

Note the awesome wordcount widget I added to the right sidebar. This widget is awesome because it AUTOMATICALLY tracks the wordcount on my latest work-in-progress, no manual updating needed.

For those who are interested in the technical side of it, here's how it works:

1. My computer automatically backs up all my files to a remote server every night.
2. Since I use OpenOffice, the document in question is in .odt format. I discovered that a nice feature of this format is that the word count of the document is available in the raw document code (search for "meta:word-count").
3. The image you see is actually a PHP script on the same remote server. When viewed in a browser, the script extracts the wordcount directly from the document and generates the image on the fly.
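The extraction step above can be shown concretely. The following is an added example (mine, not the blog's PHP script): an .odt file is a ZIP archive, and the count lives in `meta.xml` as the `meta:word-count` attribute of `<meta:document-statistic>`. The script builds a small sample .odt in memory so it runs without a real document, reads the count with the proper OpenDocument namespaces, returns `None` rather than crashing on a missing or malformed statistic, and renders an SVG badge instead of a raster image so no image library is needed.

```python
"""Added example (not the blog's PHP script): read the word count that
OpenOffice stores in an .odt file and render it as an SVG badge.

The sample .odt below is constructed in memory for the example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from html import escape

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_META = "urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
MAX_META_BYTES = 1 << 20  # refuse absurdly large meta.xml (zip-bomb guard)


def make_sample_odt(word_count):
    """Build a minimal .odt (ZIP with mimetype + meta.xml) and return its bytes."""
    meta_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-meta xmlns:office="{NS_OFFICE}" xmlns:meta="{NS_META}">'
        '<office:meta>'
        f'<meta:document-statistic meta:page-count="3" meta:word-count="{word_count}"/>'
        '</office:meta></office:document-meta>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Per the ODF spec the mimetype entry is first and uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("meta.xml", meta_xml)
    return buf.getvalue()


def odt_word_count(odt_bytes):
    """Return the word count recorded in meta.xml, or None if the archive has
    no usable statistic (not a zip, no meta.xml, no attribute, non-integer)."""
    try:
        with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
            info = zf.getinfo("meta.xml")
            if info.file_size > MAX_META_BYTES:
                return None
            root = ET.fromstring(zf.read("meta.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    stat = root.find(f".//{{{NS_META}}}document-statistic")
    if stat is None:
        return None
    try:
        return int(stat.get(f"{{{NS_META}}}word-count"))
    except (TypeError, ValueError):
        return None


def wordcount_badge_svg(count, label="words so far"):
    """Render the count as a small SVG image. The label is escaped so text
    that reaches the script cannot inject markup into the served image."""
    text = "n/a" if count is None else f"{count:,}"
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="160" height="40">'
        '<rect width="160" height="40" rx="6" fill="#335"/>'
        f'<text x="80" y="17" fill="#fff" font-size="12" text-anchor="middle">{escape(label)}</text>'
        f'<text x="80" y="34" fill="#fff" font-size="16" text-anchor="middle">{text}</text>'
        '</svg>'
    )


if __name__ == "__main__":
    sample = make_sample_odt(41237)
    print(odt_word_count(sample))
    print(wordcount_badge_svg(odt_word_count(sample)))
```

On a real server the script would read the nightly backup copy of the manuscript instead of `make_sample_odt(...)`, and serve the SVG with an `image/svg+xml` content type.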

Result: